Millions of Android users have been hit by malware posing as games on Google Play, according to Avast security researcher Filip Chytry.
The malware displays fake ads that pop up when users unlock their devices, warning them of nonexistent infections, or claiming that their devices are out of date or contain porn.
Victims are then asked to take action. If they agree, they are redirected to poisoned Web pages that contain dubious app stores, or apps that try to send premium SMS messages — which are expensive — without their knowledge, or apps that collect scads of personal information on the sly.
Sometimes users were directed to legitimate companies’ websites, or to security apps on Google Play, but even after they install these security apps, the unwanted ads keep popping up.
“Some of the malware lies quiet for up to 30 days before activating,” Chytry said.
Google spokesperson Elizabeth Markman did not confirm how many devices had been hit.
“Our techniques for protecting Google Play users continue to improve, and are reflected in the low numbers of users who install potential malware from the Google Play Store,” Markman stated.
About the Apps Breaking Bad
The Durak card game app was the most widely downloaded of the malicious apps, Chytry said, adding that Google Play’s statistics showed it had been installed between 5 million and 10 million times.
All the apps mentioned by Avast had been suspended, Markman told TechNewsWorld.
The Durak app had been removed from Google Play when TechNewsWorld checked at 8:43 a.m. PT today, but was available when checked at 12:06 p.m. PT.
“We scan apps as they are uploaded to Google Play, running each app to detect and remove malware, spyware and Trojans from Google Play,” Markman told TechNewsWorld.
That scanning is done by Bouncer, a service Google implemented in 2012.
Google can then disable developer apps and accounts if they violate its terms and content policies.
“Our goal is to provide people with an extra layer of protection while still maintaining Android’s openness and developers’ workflow,” Markman remarked.
What Went Wrong?
Google’s app scanning process may have missed the malware because “they rely mostly on static code analysis and the app in question may have used a ‘time bomb’ method — waiting a period of time before downloading and executing the malware,” Patrick Murray, vice president of products at Zimperium, told TechNewsWorld.
This is a core vulnerability when it comes to apps, Murray pointed out, because all mobile apps must communicate frequently with a server to complete updates, receive instructions and perform other tasks.
Additionally, Google’s scanning services are not adequate because scanning “is only as good as the signature database it has from the service provider,” Andrew Blaich, lead security analyst at Bluebox Labs, said. “It takes several different malware scanning programs to catch all known malware on a device since they all scan for different things.”
Google’s policy of openness is the problem because the resulting business model and architecture “make Android very difficult for them to secure,” Murray said.
Anatomy of a Takedown
In April 2014, Google enhanced its “Verify Apps” feature to continually check devices to make sure all apps are behaving in a safe manner, even after they’re installed.
However, this service “only works after an app is identified as bad,” Blaich told TechNewsWorld.
Google’s “Bouncer” service “works more along the lines of risk management,” Blaich remarked. “If enough red flags show up, then an app becomes a candidate for takedown.”
Protecting The Enterprise
Malware downloaded onto BYOD devices “can easily compromise the enterprise network by stealing corporate credentials or simply bringing the compromised device back onto the network,” Zimperium’s Murray warned.
Businesses “need to think about expanding their BYOD initiatives to go beyond simple management of devices, and employ solutions on the device that prevent these types of cyberattacks,” Murray suggested. For example, they could monitor devices continuously so malware “is caught whenever it is delivered, even if it tries to lie and wait for a period of time before detonation.”